The Cloud Shared Responsibility Model

12/02/2024

Cloud

Introduction

This will be one of my first posts on the site, and of all the topics I could choose from my area, I decided to tackle this one: shared responsibility in the cloud. The topic may seem familiar to some, even mundane… but for those who are just starting out with the cloud, or are unfamiliar with the subject, it is extremely important to learn about it.

In this post, I’m going to describe the shared responsibility model for the cloud in a very direct and succinct way. It will therefore be a short post that will serve as a reference for other posts, including the next one, which I am already developing in parallel.

Make yourself at home and enjoy reading.

What is Shared Responsibility

If there’s one thing most people are familiar with today, it’s the cloud. And of course, whether we like it or not, everyone ends up using some kind of cloud service today, whether it’s storing and retrieving photos, streams or entire systems accessible via the browser.

What few people know, especially those who work directly with AWS cloud providers, is that there is a cloud usage agreement. An agreement that you agree to from the moment you start using it.

This agreement is the shared responsibility model, and depending on the level of cloud service you are using, it will define what is your responsibility in terms of security, and what is the responsibility of the service provider. But one thing is certain: your data and access to the service will always be your responsibility.

Rights and duties

Here I will use two practical examples from major cloud service providers to show how shared responsibility works.

Google Cloud Shared Responsibility Model

To fully understand the shared responsibility model according to Google Cloud Platform (GCP), I’ll briefly explain the three cloud service models. They are basically divided by the user’s level of control and responsibility over computing resources.

IaaS (Infrastructure as a Service): the user has access to infrastructure resources such as storage, computing, networking and virtualization, but is responsible for the operating system, virtual machines, middleware and applications. The cloud provider manages the network, servers and virtualization and storage resources.
Public cloud providers such as AWS, Microsoft Azure and Google Cloud are examples of IaaS.
PaaS (Platform as a Service): the user has access to a platform for developing, running and managing applications, without having to create and maintain the infrastructure. The provider hosts the hardware and software components on its own infrastructure.
Some examples of PaaS are AWS Elastic Beanstalk, Heroku and Red Hat OpenShift.
SaaS (Software as a Service): the user has access to a cloud-based application, ready to use, which is managed by the service provider. The user only needs to connect to the application via a control dashboard or an API.
Dropbox, Salesforce, Google Apps and Red Hat Insights are some examples of SaaS.

Based on the models above, and looking at the diagram below, you can see the level of commitment of each party involved with the cloud service.

Diagram of user and cloud service provider responsibilities. Source: Shared responsibilities and shared destiny Google Cloud | Cloud Architecture Center

AWS Shared Responsibility Model

Slightly different from the GCP model, the shared responsibility model provided by Amazon Web Services (AWS) is based on the idea of “Responsibility FROM the Cloud” and “Responsibility IN the Cloud”.

As you can see, the model presented by AWS shows a more direct responsibility on the part of the user, which in the GCP model occurs when in an IaaS.

To put it this way makes it sound as if the platforms act differently with regard to responsibility, but they don’t. The context of each platform means that the model is presented differently. The context of each platform means that the model is presented in different ways. GCP, as a cloud provider, offers services that go beyond infrastructure, such as email accounts with Gmail, storage with Drive and Firebase as a development platform.

Shared Responsibility in Different Types of Services

To better understand how shared responsibility works in practice, I’m going to present how it applies to different types of cloud services:

IaaS (Infrastructure as a Service):

Imagine that you are using a virtual machine (VM) in the cloud. In this case, the cloud provider (such as AWS, Azure or GCP) is responsible for:

Physical security of the servers: keeping the data center secure, with physical access control, fire prevention systems, etc.
Infrastructure availability: ensuring that servers, networks and storage systems are working properly.
Network management: configure and maintain the network that connects your VM to the Internet and other resources.

You, as the user, are responsible for:

Operating system security: install and configure firewalls, antivirus and other security mechanisms in your VM’s operating system.
Access management: control who is allowed to access your VM and what actions they can perform.
Application security: protect the applications you install on the VM from vulnerabilities and attacks.

PaaS (Platform as a Service):

If you use a PaaS service to develop and host your applications, the cloud provider takes care of:

Platform security: keeping the development platform secure, including the operating system, application servers and development tools.
Infrastructure management: managing the hardware and software resources that support the platform.
Scalability and availability: ensuring that the platform is available and can scale to meet your needs.

Your responsibilities as a user include:

Application code security: developing secure code, free of vulnerabilities that can be exploited by attackers.
Data management: protecting the data that your application processes and stores.
Application security configuration: configure access permissions, authentication rules and other security mechanisms for your application.

SaaS (Software as a Service):

When you use software as a service, such as an email system or CRM, the cloud provider takes on most of the responsibility for security:

Infrastructure and software security: protecting the servers, network and software that make up the service.
Access management: controlling access to the service and user data.
Availability and backups: ensuring that the service is available and that your data is protected against loss.

Even so, you still have some important responsibilities:

Securing your account: choosing a strong password, enabling two-step authentication and protecting your access credentials.
User management: control the users who have access to the service within your organization.
Configuring access permissions: defining which users can access which data and functionalities within the service.

Remember that shared responsibility is a fundamental concept in the cloud. By understanding the responsibilities of each party, you can ensure the security of your data and applications in the cloud more effectively.

Closing…

There are several other cloud service providers on the market, and they all have the shared responsibility model in common. There may be slight variations from one to another, but the user will always be responsible for their data and the people who have access to their computing resources. While the provider guarantees the physical integrity and availability of the services.

I’d like to take this opportunity to say that if this content made sense to you or contributed in any way, please leave a comment below.

Tags:

AWS, Azure, Cloud Computing, GCP, Security

Share this content: